Security considerations when using OpenLDAP software

Source: Internet
Author: User
Keywords Monitor firewall security can
Tags access address aliyun closed computing configured different firewall

The OpenLDAP software is designed to work in a variety of computing environments, ranging from controllable closed networks to global Internet. So OpenLDAP software supports many different security mechanisms. This chapter describes these mechanisms and discusses security considerations when using OpenLDAP software.

Network security

Selective http://www.aliyun.com/zixun/aggregation/16742.html ">listening

By default, SLAPD (8) will be listening on any address of IPv4 and IPV6. It is useful to have SLAPD monitor on the selected address/port. For example, listening only on the IPV4 address 127.0.0.1 will not allow remote access to the directory service. As:

Slapd-h ldap://127.0.0.1

Although servers can be configured to listen on a particular interface address, it is not necessary to restrict which networks can access the server through that interface. To restrict remote access, it is recommended that you use an IP firewall for access restrictions.

For more information, see Command line Options and SLAPD (8).

IP Firewall

The IP firewall capabilities of the server system can be used to restrict access based on client IP addresses and network interfaces that communicate with clients.

Normally SLAPD (8) listens for the ldap://session on the port 389/tcp and listens on the port 636/tcp for the ldaps://session. SLAPD (8) can also be configured to monitor on other ports.

To explain how to configure an IP firewall, this depends on which IP firewall is being used, and no examples are provided here. Please refer to the documentation associated with your IP firewall.

TCP Wrappers

SLAPD (8) supports TCP warppers. TCP Warppers provides a rule-based access control system that controls the permissions of TCP/IP access servers. For example, the host_options (5) rule:

slapd:10.0.0.0/255.0.0.0 127.0.0.1:allow
Slapd:ALL:DENY

Only connections from private network 10.0.0.0 and localhost (127.0.0.1) are allowed to access the directory service. Note the IP addresses used as SLAPD (8) are typically not configured to perform a reverse lookup.

Note that the TCP warppers required connection is accepted. If a large amount of processing requires only a deny connection, it is often recommended that you use an IP firewall instead of the TCP warppers.

For more information on TCP warppers rules, see Hosts_access (5).

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.